Comparing Linux Firewalls

Thumbnail Image
Issue Date
Schuettinger, Jesse
SUNY Polytechnic Institute
firewall , computer network , computer software , Linux , computer operating system , computer virus , computer security
A firewall is a requirement for enterprise-level organizations and is recommended in any network environment. In some cases, a firewall may be necessary, but purchasing a hardware firewall might be out of the scope of the organization’s budget. In this case, depending on the amount of traffic that is expected to traverse the network, an existing unused desktop computer or rack mounted server could become the hardware firewall, reducing the overall cost of the firewall protection. This can be accomplished with a Linux-Based Firewall Operating System. So, to determine what firewall is a best fit for the network, I created a series of tests. These tests will provide comparable data in both an unconfigured and configured firewall environment. With this information, we can better determine which Linux-Based Firewall Operating System would be best for our needs. To compare these firewalls in detail, I decided to test the throughput and latency, determine if the firewall is stateful or stateless, and to see if it can withstand a common attack. To test throughput and latency, I extrapolated the output that iperf gives into a bash script, which outputs a csv file. To determine if a firewall is stateful or stateless, I extrapolated the percentage that outputs into another csv file. The higher the percentage, the more likely the firewall is stateless. To see if the firewall can withstand a xmas tree attack, I created a script that will capture packets while an all-port xmas nmap scan is running. During that capture, the packets are being filtered out to find a response packet holding certain flags in their headers. The script will then determine if those packets existed, and if so, the attack was successful. With these three scripts in mind, we run them under the baseline network, according to the topology. Then, run these scripts again through one non-configured firewall at a time. Then, run the scripts one last time through these firewalls, but with the added configurations. After all these tests are complete, the numerical and graphical data resulting from the output files will help determine which firewall performs best. Ipfire was designed with security as a very high priority. Doesn’t come as much of a surprise, but ipfire does take their security very seriously. In my experiment, and based on their website, this open-sourced firewall implicitly blocks practically anything that tries to establish a connection from the outside. Ipcop is like ipfire, but it is geared towards SOHO environments. Making it one of the most user-friendly open-sourced firewalls available. Out of all three firewalls I’ve chosen for this experiment, ClearOS was “clearly” the outlier of the bunch. After playing around with this one, I had the impression that there wasn’t a command line interface associated with this build. It has an interactive menu that can be accessed directly, and has a user-friendly web interface as well. After some research and further interaction, I discovered that there is a command line. So, I could implement the configurations into the system.
Poster Presented at the 2017 SUNY Polytechnic Institute Student Project Showcase